Extending addon to prevent other browser fingerprinting methods as well

[Mosrite]

Hello,

I really like your addon Random Agent Spoofer! I think the idea of a randomly changing agent is great, apparently it works well and I hope this stopped some sites from tracking me!

It would be awesome if your addon would prevent other methods of browser fingerprinting (such as enumeration of plugins, MIME-types, window/screen size and fonts) as well, though. A random change or a standardization of these attributes (whatever is more feasible respectively) would make it perfect!

Thanks for considering my suggestion! Best wishes!

[dillbyrne]

Hello @Mosrite

Currently I am actively looking into methods to prevent tracking by e tags and others. I plan to add support for changing accept headers too but they will match the original browsers that they are spoofing.

As far as I know the window/screen size can only be changed from outside the browser. One thing you can do is keep your browser set to a common screen size. Not ideal I know.

I know noscript blocks @ font-face I currently use this for it.

I will look into them and see what I can do.

Thanks for your feedback

[Mosrite]

Thank you for your fast feedback! :)

"Currently I am actively looking into methods to prevent tracking by e tags and others." There is already another addon capable of stripping e-tags: TRUSTe Tracker Protection https://addons.mozilla.org/de/firefox/addon/truste-tracker-protection/?src=search It blocks cookies, e-tags, JS, flash cookies and beacons on a domain-level. It also contains a blacklist with the most common tracker missing some important ones though. I only use it because of the e-tag function (and I only use the e-tag function, not the other ones) and it does it job! However, I would be glad if I could reduce the number of enabled addons so of course it would be great if your addon could do this, too!

"I plan to add support for changing accept headers too but they will match the original browsers that they are spoofing." Doesn't it make the browser especially recognizable if information (user agent vs accept header) contradict each other?

"I know noscript blocks @ font-face I currently use this for it." Even if I use the font-face function of NoScript this site can still enumerate my fonts: http://ip-check.info (Last entry of the test results). I don't want to disable all document fonts. Maybe there is another way e.g. a standardized list of the most common fonts? Also, this site lists all known methods of tracking and is therefore maybe a good basis for your further work? Here is a more extensive description: http://ip-check.info/description.php?lang=en

"As far as I know the window/screen size can only be changed from outside the browser. One thing you can do is keep your browser set to a common screen size. Not ideal I know." OK, too bad. At least, I think tracking based on only window and screen size wouldn't be very effective... So I can live with that.

And I just noticed something else: FF's addon page (https://addons.mozilla.org/en/firefox/) marks most addons as not feasible because of the spoofed user agent. Maybe a whitelist option would be useful?

Sorry to bother you with all my suggestions! I hope you know that I really like your addon nevertheless!

[Mosrite]

Apparently, at least the enumeration of plugins will be prevented with FF28: https://developer.mozilla.org/en-US/Firefox/Releases/28/Site_Compatibility

"DOM navigator.plugins is no longer enumerable

Bug 757726 – disallow enumeration of navigator.plugins

The PluginArray interface, returned by the window.navigator.plugins property, has been made non-enumerable and useless. This change is intended to enhance user privacy by preventing specific fingerprinting techniques. Web sites still can determine which MIME types are supported by the browser using window.navigator.mimeTypes. Mozilla is tracking some affected sites."

[dillbyrne]

@Mosrite

Sorry about the delay in getting back to you.

That is good news to hear about the enumeration.

I have looked into the links you provided and I will be able to set recommended fonts, disable local dom storage and some other extras. I will add that functionality soon enough

I will consider adding a whitelist in the future. I have a lot of work to do on it at present so I will look into it once I get that functionality working.

As for the accept headers. I was planning to match them with the user agent. for example if you check the accept headers in chrom(e/ium) and firefox, they are slightly different. The way I have implemented the addon I have a profile for each possible user agent so the matching accept headers for that browser would look like it is supposed to . I am still investigating it.

Thanks for your support and feedback.

[Mosrite]

Your plans sound great! I really appreciate your work and your effort! Thanks!

[dillbyrne]

Thanks. I will let you know when I add the font support and others. The etags and accept headers will take longer as I have some research to do on them.

[dillbyrne]

@Mosrite I have added some of the features mentioned into the latest version. It will have to undergo review before it automatically updates. if you want to try it out beforehand you can do so here https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/versions/?page=1#version-0.3

Let me know what you think.

[Mosrite]

I just checked it out. Thank you very much for these new features! I already knew how to toggle these options in the about:config section but it is probably of much help for other users and an easier way to do this. Unfortunately, the font setting changes the appearance of some sites significantly. I don't know yet if I will really use this setting - there should be a balance of security/privacy and usability/convenience for me. Without limiting fonts the JonDonym-test states that I have more than 200 fonts installed, with the limited settings it is only 3. Maybe, a compromise (the twenty most commonfonts, for example) would be reasonable? I don't know if this is even possible though.

Something else about the actual spoofing function: I noticed that many sites show notations that my browser is not up-to-date if an older browser is used for spoofing (e.g. if RAS pretends that I am using FF3). Maybe an additional option "Random (recent (desktop) only)" could help? Alternatively, optional checkboxes enabling every user to select himself/herself to select from which agents the random spoofer can choosee could prevent this problem. But that's just an idea, I don't know how complicated it would be to implement that.

[dillbyrne]

Thanks for your feedback .

I know the fonts do not look the best however they are the most private option. In the future I will look into trying to implement it in the same way as noscript. The method I have used in the addon and the one recommended by JonDo is a compatibility option it seems, I know of no other way to specify a set of fonts.

At the moment I have no plans to implement a selectable list of user agents due to the design but I could provide instructions on how to build a custom version with the specific user agents you want if you are interested ?

Or you could set the agent to a specific one while you use those sites. Most sites will still work despite the warnings. Also if someone was targeting you based on your browser profile and they had an exploit aimed at the older version then the exploit( assuming it was patched) would fail against the actual version of your browser.

[Mosrite]

A Noscript kinda function for fonts would be extremly awesome! I could just enable document fonts for the few news sites that really need it to look better and disable it for the rest. This would probably be even better than a compromise solution of more fonts (which apparently isn't even possible...).

As I don't know how to programme I don't think it could build my own RAS version. I can live with the current functionality and its consequences, I just wanted to report the issues that I found :) The attack preventing is an unexpected benefit!

[dillbyrne]

I will have to research it to see how I could do the fonts. I have an idea but I will have to try it out first.

it is trivial to build. you just download the source, edit the json file to remove the entries you don't want and then build it with the firefox sdk. I can give you detailed instructions if you wish. if you are on linux/unix it is even easier. I don't mind so if you want to do it let me know.

[Mosrite]

I assume I would have to change this again with every update, right? For this reason, I don't want to do this. Nevertheless, thank you very much for the offer!!!

[dillbyrne]

Yes you are correct. I will see what I can do for future versions.

[Mosrite]

Thank you so much for all your effort!

[dillbyrne]

@Mosrite No problem. if you get a chance you can help me out by rating the addon. I will close this issue for now and mention you If and when I get any of the features we discussed above done.

[dillbyrne]

@Mosrite Hello again , I have added etag spoofing support to the current version on the mozilla site and I plan to add a whitelist and options to prevent certain profiles from being chosen at random.

I wanted to keep you informed as I said I would.

[Mosrite]

Hey dillbyrne, thank you very much for informing me and further improving your addon! At first I thought the e-tag function didn't work, because the IP check test (http://ip-check.info/?lang=en) still marks e-tags red and is able to give me an ID. But then I realized that this ID changes with every reload, so apparently it works. Thank you very much! The add-on "TrustE Tracker Protection" is able to somehow disable e-tags (not the whole cache though) and with this function the IP test check gives a green signal for e-tags. Which method is more preferrable? Disabling or spoofing?

Is there an explanation somewhere what effects the "via" and the "x forwarded" spoofing function have?

I am really looking forward to the chosing and the whitelist function! :)

[dillbyrne]

I was trying to get the etags to work in the way you described but I could not get them to work in that way thus far. So I opted for the time being to do it the way the secret agent addon does it and send spoofed tags so they will never match.

The method I have implemented was the only one I could get to work on lucb1e.com/rp/cookielesscookies I do intend to return to it and try to improve it so the user is not required to send spoofed tags.

"Is there an explanation somewhere what effects the "via" and the "x forwarded" spoofing function have?"

These are basically headers that are set when using some proxy services. They don't hide your location but they can make it look like your connection went through a proxy server and that site forwarded your request . More information is available at https://stackoverflow.com/a/15252227

They are not required to be sent and are not needed. I added them as extra options should a particular user want them. Personally I don't use those options as I don't need them.

[Mosrite]

Thank you very much for these explanations! As long as the e-tag feature does its job, I'm happy with it! I'm glad I could disable another addon (TrustE) without losing functionality :)